The Hacker News — Cyber Security, Hacking, Technology News

Security researchers have been warning for years about critical security holes in Signaling System 7 (SS7) that could allow hackers to listen in on private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.

Cellular network operators, on the other hand, have consistently ignored this serious issue, saying that it poses a very low risk for most people because exploiting the SS7 flaws requires significant technical and financial investment.

But some unknown hackers have just proved them wrong by recently exploiting the design flaws in SS7 to drain victims' bank accounts, according to a report published Wednesday by the German newspaper Süddeutsche Zeitung.

SS7 is a telephony signaling protocol created in the 1980s by telcos. It underpins more than 800 telecom operators across the world, including AT&T and Verizon, allowing them to interconnect and exchange data with one another, such as routing calls and texts, enabling roaming, and providing other services.

Real-World SS7 Attack Scenarios

The global telecom network SS7 is vulnerable to several design flaws that could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.

The SS7 design flaws have been publicly known since 2014, when a team of researchers at Germany's Security Research Labs alerted the world to them.

Last year, Karsten Nohl of Security Research Labs demonstrated the SS7 attack on US Congressman Ted Lieu's phone number (with his permission) on the TV program 60 Minutes, successfully intercepting his iPhone, recording a call, and tracking his precise location in real time using only his cell phone number and access to an SS7 network.

In a separate demonstration last year, researchers from Positive Technologies showed WhatsApp, Telegram, and Facebook account hacks that used the same SS7 design flaws to bypass the two-factor authentication those services rely on.

Thieves Using SS7 Flaw to Steal Money From Bank Accounts

Now, Germany's O2 Telefonica has confirmed that the same SS7 weaknesses have recently been exploited by cybercriminals to bypass the two-factor authentication (2FA) that banks use to prevent unauthorized withdrawals from users' bank accounts.

"Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January," an O2 Telefonica representative told Süddeutsche Zeitung. "The attack redirected incoming SMS messages for selected German customers to the attackers."

Here's How:

The attackers first spammed out traditional bank-fraud trojans to infect account holders' computers and steal the passwords used to log into their bank accounts, view account balances, and collect their mobile numbers.

But what prevented the attackers from making money transfers was the one-time password (OTP) the bank sent by text message to its online banking customers to authorize the transfer of funds between accounts.

To overcome this obstacle, the cyber crooks then purchased access to a fake telecom provider and set up a redirect of the victims' phone numbers to a handset under their control. Specifically, they used SS7 to redirect the SMS messages containing the OTPs sent by the bank.

Next, the attackers logged into the victims' online bank accounts and transferred money out. As soon as the bank sent the authorization codes, they were routed not to the designated account holders but to numbers controlled by the attackers, who finalized the transactions.

Can You Avoid this Hack?

This latest SS7 attack once again sheds light on the insecurity by design and lack of privacy in the global telephone signaling protocol, making it clear that real-world SS7 attacks are possible. And since the SS7 network is used worldwide, the issue puts billions of users in danger.

Since the network operators are unable to patch the hole anytime soon, there is little smartphone users can do beyond one thing: avoid two-factor authentication via SMS texts for receiving OTP codes, and instead rely on cryptographically based security keys as the second authentication factor.

The latest dump of hacking tools allegedly belonging to the NSA is believed to be the most damaging release by the Shadow Brokers to date.

But after analyzing the disclosed exploits, Microsoft's security team says most of the Windows vulnerabilities exploited by these hacking tools, including EternalBlue, EternalChampion, EternalSynergy, EternalRomance and others, were already patched in last month's Patch Tuesday update.

"Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering," Microsoft Security Team said in a blog post published today.

On Good Friday, the Shadow Brokers released a massive trove of Windows hacking tools allegedly stolen from the NSA that work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and their server-side variants such as Server 2000, 2003, 2008, 2008 R2 and 2012, but not Windows 10 or Windows Server 2016.

The exploits could give nearly anyone with technical knowledge the ability to break into millions of Windows computers and servers all over the Internet, but only those that are not up to date.

"Of the three remaining exploits, 'EnglishmanDentist', 'EsteemAudit', and 'ExplodingCan', none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft says.

The data dump also includes some top-secret presentations and Excel sheets, indicating that the leaked exploits may have been used to hack the SWIFT banking systems of several banks across the world.

The most noteworthy exploit in Friday's dump is EternalBlue, an SMBv1 (Server Message Block 1.0) exploit that could cause older versions of Windows to execute code remotely.

Matthew Hickey, a security expert and co-founder of Hacker House, also published a video demonstration in which he used this exploit, together with another alleged zero-day, FuzzBunch, against a virtual machine running Windows Server 2008 R2 SP1 and pulled off the hack in less than two minutes.

But if the company already patched this flaw last month, how could this exploit work against an updated machine? It seems the researcher tried the exploit against a Windows system that did not have the latest updates installed.

"The patches were released in last month's update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable - if you apply MS17-010 it should protect hosts against the attacks," Matthew clarifies during a conversation with The Hacker News.
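As an added check that is not part of the article or of Microsoft's guidance, the following PowerShell audit reports whether a host still has SMBv1 enabled and whether one of the MS17-010 updates is installed; the KB numbers are not given in the article, so they are passed in as a parameter that the operator fills from the MS17-010 bulletin. It assumes PowerShell 3 or later and an elevated session.

```powershell
# Added example (not from the article): audit a host for the two things the
# article ties to EternalBlue: SMBv1 still enabled, and MS17-010 not installed.
# -KbIds is a placeholder; supply the MS17-010 KB numbers for your Windows
# version from the bulletin (assumption: the operator looks them up).
param(
    [string[]]$KbIds = @('KB-PLACEHOLDER')
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. SMBv1 server state. Windows 8 / Server 2012 and later expose it through
#    Get-SmbServerConfiguration; on Windows 7 / Server 2008 R2 the registry
#    value SMB1 under LanmanServer\Parameters is what decides it.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means the default on these releases, which is enabled.
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}

# 2. Is any of the supplied MS17-010 hotfixes present on this host?
$installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
$patched   = $null -ne $installed

# Report one object per host so the script can be run across a fleet and the
# output collected (e.g. via Invoke-Command) and filtered on SMB1Enabled.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    SMB1Enabled  = $smb1Enabled
    MS17010Found = $patched
    HotFixes     = ($installed | ForEach-Object HotFixID) -join ','
}

# Remediation, in addition to applying MS17-010: turning SMBv1 off removes the
# attack surface EternalBlue targets. Uncomment the line for your platform.
# Windows 7 / Server 2008 R2 (registry, reboot required):
#   Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
# Windows 8 / Server 2012 and later:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Disabling SMBv1 breaks access from clients that only speak SMBv1 (such as Windows XP), so check for such dependencies before rolling the remediation out.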

No Acknowledgement for SMB RCE Issue by Microsoft

There's also news floating around the Internet that the "NSA has had, at a minimum, 96 days of warning," knowing that the Shadow Brokers could drop the files at any time, but the agency did not report the flaws to Microsoft.

The Intercept also reported that Microsoft told it that the company had not been contacted by any "individual or organization," in relation to the hacking tools and exploits released by the Shadow Brokers.

The vulnerabilities have already been patched by Microsoft, which normally acknowledges the security researchers who report issues in its products, but, interestingly, there are no acknowledgments for MS17-010, which patched most of the critical flaws from the Shadow Brokers dump.

Update: Most of the exploits made publicly available by the Shadow Brokers group (mentioned in this article) were already patched by Microsoft in last month's Patch Tuesday update. So it is always recommended that you keep your systems up to date in order to prevent being hacked.

The Shadow Brokers, a hacking group that claims to have stolen a bunch of hacking tools from the NSA, released today more alleged hacking tools and exploits that target earlier versions of the Windows operating system, along with evidence that the intelligence agency also targeted the SWIFT banking systems of several banks around the world.

Last week, the hacking group released the password for an encrypted cache of Unix exploits, including a remote root zero-day exploit for Solaris OS, and the TOAST framework the group put on auction last summer.

The hacking tools belonged to the "Equation Group," an elite cyber attack unit linked to the National Security Agency (NSA).

Now, the Shadow Brokers group has published a new 117.9 MB encrypted archive via a new blog post, titled "Lost in Translation," which anyone can unlock using the password "Reeeeeeeeeeeeeee."

Someone has already uploaded the unlocked archive on GitHub and listed all the files contained in the dump released by the Shadow Brokers, which includes 23 new hacking tools.

Security researchers have started delving into the dump to determine the capabilities of the alleged exploits, implants and payloads that are claimed to work against Windows platforms.

NSA DUMP: Windows, Swift, and OddJob

The latest dump comprises three folders: Windows, Swift, and OddJob.

"So this week is being about money. TheShadowBrokers showing you cards theshadowbrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for new dumps. Windows. Swift. Oddjob," the Shadow Brokers latest blog post reads.

The Windows folder holds many hacking tools targeting the Windows operating system, but according to researchers they work only against older versions, namely Windows XP and Server 2003.

Another folder, named OddJob, contains a Windows-based implant along with alleged configuration files and payloads. While details on this implant are scarce at the moment, OddJob works on Windows Server 2003 Enterprise up to Windows XP Professional.

Some of the Windows exploits were not even detected by the online file scanning service VirusTotal, security architect Kevin Beaumont confirmed via Twitter, which indicates that the tools have not been seen before.

"A lot of good remote exploits in the #EquationGroup tools. Just a few well-designed 0days is enough to pwn the planet," tweeted another security researcher, who uses Twitter handle x0rz.

The SWIFT folder contains PowerPoint presentations, evidence, credentials and the internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.

SWIFT (Society for Worldwide Interbank Telecommunication) is a global financial messaging system that thousands of banks and organizations across the world use to transfer billions of dollars every day.

"A SWIFT Service Bureau is the kind of the equivalent of the Cloud for Banks when it comes to their SWIFT transactions and messages; the banks' transactions are hosted and managed by the SWIFT Service Bureau via an Oracle Database and the SWIFT Softwares," security researcher Matt Suiche explains in a blog post.

The folder includes SQL scripts that query the Oracle database for information such as the list of database users and SWIFT message queries.

Besides this, the folder also contains Excel files indicating that the NSA's elite cyber attack unit, Equation Group, had hacked and gained access to many banks around the world, the majority of them located in the Middle East, such as the UAE, Kuwait, Qatar, Palestine, and Yemen.

More key findings will come as soon as other security researchers delve into the latest dump.

This release is the latest from the Shadow Brokers, and at the moment it is not confirmed whether the hacking group holds more NSA hacking tools and exploits or whether this is the last batch it stole from the United States intelligence organization.

UPDATE: EastNets Denies SWIFT Hacking Claims

In an official statement published today, EastNets denies that its SWIFT bureau was compromised, and says the reports of a hack are "totally false and unfounded."

"The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded. The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities."

"The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013."

An Eastern European gang of criminals has stolen over 12 Million Baht (approximately US$350,000) from a total of 21 ATMs in Bangkok and five other provinces by hacking a Thai bank's ATM network, police said Wednesday.

The Central Bank of Thailand (BoT) has issued a warning to all commercial banks about security flaws in roughly 10,000 ATMs that were exploited to steal cash from the machines.

The warning came shortly after the state-owned Government Savings Bank (GSB) shut down approximately 3,000 of its ATMs following an ongoing police investigation into the recent hack, in which hackers were able to infect many of its cash machines with malware.

GSB found that millions of Thailand Baht were stolen between August 1 and 8 from 21 ATMs across the provinces of Bangkok, Phuket, Chumphon, Prachuap Khiri Khan, Phetchaburi, and Surat Thani, the Bangkok Post reports.

The hackers made off with over 12.29 Million Thailand Baht (US$346,000) by inserting cards loaded with malware into multiple ATMs to make them spew out cash, up to 40,000 Baht per transaction.

GSB President Chartchai Payuhanaveechai told the local media that the bank has reviewed security camera footage and identified potential suspects as foreign nationals who infected their cash machines with malware that forced them to dispense cash.

Payuhanaveechai also assured customers that they are not affected by the theft, as the gang's malware only tricked the bank's ATMs into releasing cash without authorization and did not touch customers' accounts.

Thai police suspect a ring of at least 25 Eastern European nationals committed the crime and link them to a similar hacking theft that occurred last month, when the top eight banks in Taiwan were forced to shut down hundreds of their ATMs after thieves used malware to steal NT$70 Million ($2.17 Million) in cash.
